[experimental] add ssh certificate authorities as feature flags (#19208)

gitpod-io · Dec 7, 2023 · 6ecc991 · 6ecc991
1 parent 77ff741
commit 6ecc991
Show file tree

Hide file tree

Showing 7 changed files with 107 additions and 84 deletions.
diff --git a/components/gitpod-protocol/src/protocol.ts b/components/gitpod-protocol/src/protocol.ts
@@ -249,6 +249,7 @@ export const WorkspaceFeatureFlags = {
     workspace_class_limiting: undefined,
     workspace_connection_limiting: undefined,
     workspace_psi: undefined,
+    ssh_ca: undefined,
 };
 export type NamedWorkspaceFeatureFlag = keyof typeof WorkspaceFeatureFlags;
 export namespace NamedWorkspaceFeatureFlag {

diff --git a/components/server/src/workspace/workspace-starter.ts b/components/server/src/workspace/workspace-starter.ts
@@ -936,6 +936,10 @@ export class WorkspaceStarter {
                 featureFlags.push("workspace_psi");
             }
 
+            if (await this.shouldEnableSSHCA(user, workspace.organizationId)) {
+                featureFlags.push("ssh_ca");
+            }
+
             const workspaceClass = await getWorkspaceClassForInstance(
                 ctx,
                 workspace,
@@ -995,6 +999,13 @@ export class WorkspaceStarter {
         return this.entitlementService.limitNetworkConnections(userId, organizationId);
     }
 
+    private async shouldEnableSSHCA(user: User, organizationId: string): Promise<boolean> {
+        return getExperimentsClientForBackend().getValueAsync("isSSHCertificateAuthoritiesEnabled", false, {
+            user: user,
+            teamId: organizationId,
+        });
+    }
+
     private shouldEnablePSI(billingTier: BillingTier): boolean {
         return billingTier === "paid";
     }

diff --git a/components/ws-manager-api/core.proto b/components/ws-manager-api/core.proto
@@ -657,6 +657,9 @@ enum WorkspaceFeatureFlag {
 
     // WORKSPACE_PSI feature flag for enabling pressure stall information for workspaces
     WORKSPACE_PSI = 11;
+
+    // SSH_CA feature flag for enabling SSH CA for workspaces
+    SSH_CA = 12;
 }
 
 // GitSpec configures the Git available within the workspace

diff --git a/components/ws-manager-api/go/core.pb.go b/components/ws-manager-api/go/core.pb.go
diff --git a/components/ws-manager-api/typescript/src/core_pb.d.ts b/components/ws-manager-api/typescript/src/core_pb.d.ts
diff --git a/components/ws-manager-api/typescript/src/core_pb.js b/components/ws-manager-api/typescript/src/core_pb.js
diff --git a/components/ws-manager-mk2/service/manager.go b/components/ws-manager-mk2/service/manager.go
@@ -213,13 +213,15 @@ func (wsm *WorkspaceManagerServer) StartWorkspace(ctx context.Context, req *wsma
 		}
 	}
 
+	var sshGatewayCAPublicKey string
 	for _, feature := range req.Spec.FeatureFlags {
 		switch feature {
 		case wsmanapi.WorkspaceFeatureFlag_WORKSPACE_CONNECTION_LIMITING:
 			annotations[wsk8s.WorkspaceNetConnLimitAnnotation] = util.BooleanTrueString
-
 		case wsmanapi.WorkspaceFeatureFlag_WORKSPACE_PSI:
 			annotations[wsk8s.WorkspacePressureStallInfoAnnotation] = util.BooleanTrueString
+		case wsmanapi.WorkspaceFeatureFlag_SSH_CA:
+			sshGatewayCAPublicKey = wsm.Config.SSHGatewayCAPublicKey
 		}
 	}
 
@@ -281,7 +283,7 @@ func (wsm *WorkspaceManagerServer) StartWorkspace(ctx context.Context, req *wsma
 			Ports:                 ports,
 			SshPublicKeys:         req.Spec.SshPublicKeys,
 			StorageQuota:          int(storage.Value()),
-			SSHGatewayCAPublicKey: wsm.Config.SSHGatewayCAPublicKey,
+			SSHGatewayCAPublicKey: sshGatewayCAPublicKey,
 		},
 	}
 	controllerutil.AddFinalizer(&ws, workspacev1.GitpodFinalizerName)